High severity · NVD Advisory · Published Nov 21, 2014 · Updated May 6, 2026
CVE-2014-8682
CVE-2014-8682
Description
Multiple SQL injection vulnerabilities in Gogs (aka Go Git Service) 0.3.1-9 through 0.5.x before 0.5.6.1105 Beta allow remote attackers to execute arbitrary SQL commands via the q parameter to (1) api/v1/repos/search, which is not properly handled in models/repo.go, or (2) api/v1/users/search, which is not properly handled in models/user.go.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| gogs.io/gogs (Go) | >= 0.3.1, < 0.5.8 | 0.5.8 |
Affected products
- cpe:2.3:a:gogits:gogs:*:*:*:*:*:*:*:* (range: <= 0.5.5)
- cpe:2.3:a:gogits:gogs:0.3.1-9:*:*:*:*:*:*:*
- cpe:2.3:a:gogits:gogs:0.4.1:*:*:*:*:*:*:*
- cpe:2.3:a:gogits:gogs:0.4.2:*:*:*:*:*:*:*
- cpe:2.3:a:gogits:gogs:0.5.0:*:*:*:*:*:*:*
- cpe:2.3:a:gogits:gogs:0.5.2:*:*:*:*:*:*:*
Patches
0c5ba4573aec fix session API broken and SQL pretection
7 files changed · +5 −12
cmd/web.go+1 −1 modified@@ -72,7 +72,7 @@ func checkVersion() { log.Fatal(4, "Package i18n version is too old, did you forget to update?(github.com/macaron-contrib/i18n)") } sessionVer := git.MustParseVersion(session.Version()) - if sessionVer.LessThan(git.MustParseVersion("0.0.3")) { + if sessionVer.LessThan(git.MustParseVersion("0.0.5")) { log.Fatal(4, "Package session version is too old, did you forget to update?(github.com/macaron-contrib/session)") } }
conf/app.ini+0 −4 modified@@ -163,10 +163,6 @@ ENABLE_SET_COOKIE = true GC_INTERVAL_TIME = 86400 ; Session life time, default is 86400 SESSION_LIFE_TIME = 86400 -; session id hash func, Either "sha1", "sha256" or "md5" default is sha1 -SESSION_ID_HASHFUNC = sha1 -; Session hash key, default is use random string -SESSION_ID_HASHKEY = [picture] ; The place to picture data, either "server" or "qiniu", default is "server"
gogs.go+1 −1 modified@@ -17,7 +17,7 @@ import ( "github.com/gogits/gogs/modules/setting" ) -const APP_VER = "0.5.6.1102 Beta" +const APP_VER = "0.5.6.1104 Beta" func init() { runtime.GOMAXPROCS(runtime.NumCPU())
models/repo.go+1 −1 modified@@ -1161,7 +1161,7 @@ func SearchRepositoryByName(opt SearchOption) (repos []*Repository, err error) { if !opt.Private { sess.And("is_private=false") } - sess.And("lower_name like '%" + opt.Keyword + "%'").Find(&repos) + sess.And("lower_name like ?", "%"+opt.Keyword+"%").Find(&repos) return repos, err }
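Review bot: The result of `Find` is discarded on the rewritten line, so a query failure is never reported: `err` holds only whatever earlier code (outside the hunk) may have set, and a caller receives an empty `repos` with a nil error. Assign it as the sibling hunk in models/user.go does: `err = sess.And("lower_name like ?", "%"+opt.Keyword+"%").Find(&repos)`. Binding the keyword as a parameter closes the injection, but `%` and `_` inside opt.Keyword are still LIKE metacharacters, so a keyword can still widen the match beyond a literal substring; if that is not intended, escape those two characters before wrapping (the same applies to the models/user.go hunk). SearchRepositoryByName begins before this hunk.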
models/user.go+1 −1 modified@@ -581,7 +581,7 @@ func SearchUserByName(opt SearchOption) (us []*User, err error) { opt.Keyword = strings.ToLower(opt.Keyword) us = make([]*User, 0, opt.Limit) - err = x.Limit(opt.Limit).Where("type=0").And("lower_name like '%" + opt.Keyword + "%'").Find(&us) + err = x.Limit(opt.Limit).Where("type=0").And("lower_name like ?", "%"+opt.Keyword+"%").Find(&us) return us, err }
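Review bot: `opt.Limit` flows unchecked into both `make([]*User, 0, opt.Limit)` and `x.Limit(opt.Limit)` on the context lines around the fix; if it originates from the request (the hunk does not show where SearchOption is built), a negative value panics inside `make` and a very large one pre-allocates that many pointers per call. Clamp it before use, e.g. `if opt.Limit <= 0 || opt.Limit > maxSearchLimit { opt.Limit = maxSearchLimit }` with `maxSearchLimit` a constant chosen for the deployment (placeholder name). SearchUserByName begins before this hunk.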
modules/setting/setting.go+0 −3 modified@@ -394,9 +394,6 @@ func newSessionService() { SessionConfig.EnableSetCookie = Cfg.MustBool("session", "ENABLE_SET_COOKIE", true) SessionConfig.Gclifetime = Cfg.MustInt64("session", "GC_INTERVAL_TIME", 86400) SessionConfig.Maxlifetime = Cfg.MustInt64("session", "SESSION_LIFE_TIME", 86400) - SessionConfig.SessionIDHashFunc = Cfg.MustValueRange("session", "SESSION_ID_HASHFUNC", - "sha1", []string{"sha1", "sha256", "md5"}) - SessionConfig.SessionIDHashKey = Cfg.MustValue("session", "SESSION_ID_HASHKEY", string(com.RandomCreateBytes(16))) if SessionProvider == "file" { os.MkdirAll(path.Dir(SessionConfig.ProviderConfig), os.ModePerm)
templates/.VERSION+1 −1 modified@@ -1 +1 @@ -0.5.6.1102 Beta \ No newline at end of file +0.5.6.1104 Beta \ No newline at end of file
Vulnerability mechanics
References
- packetstormsecurity.com/files/129117/Gogs-Repository-Search-SQL-Injection.html (nvd, Exploit, WEB)
- seclists.org/fulldisclosure/2014/Nov/33 (nvd, Exploit, WEB)
- www.exploit-db.com/exploits/35238 (nvd, Exploit, WEB)
- www.securityfocus.com/bid/71187 (nvd, Exploit, WEB)
- github.com/gogits/gogs/commit/0c5ba4573aecc9eaed669e9431a70a5d9f184b8d (nvd, Exploit, WEB)
- github.com/advisories/GHSA-g6xv-8q23-w2q3 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2014-8682 (ghsa, ADVISORY)
- gogs.io/docs/intro/change_log.html (nvd, WEB)
- packetstormsecurity.com/files/129116/Gogs-Label-Search-Blind-SQL-Injection.html (ghsa, WEB)
- seclists.org/fulldisclosure/2014/Nov/31 (ghsa, WEB)
- www.securityfocus.com/archive/1/533995/100/0/threaded (nvd, WEB)
- exchange.xforce.ibmcloud.com/vulnerabilities/98694 (nvd, WEB)
- github.com/gogits/gogs/releases/tag/v0.5.8 (ghsa, WEB)
- www.exploit-db.com/exploits/35238 (ghsa, WEB)
News mentions
No linked articles in our index yet.